1. Method for managing the authorization of a user during
an attempt to access an IP transport network (5) by means
of an access network (1, 2), which method includes steps
in which:

a user terminal (11, 12, 13) transmits, to an IP
service or access provider (6, 7, 8), an access
request containing data for user authentication with
the IP service or access provider, which is
transmitted by means of an access server (9) of the
access network (1, 2) and the IP transport network
(5), so as to be sent to a remote authentication
server (15) of the IP service or access provider,

upon receipt of the access request, the access
server (9) transmits a RADIUS request in accordance
with the RADIUS protocol to a proxy server (10) of
the access network (1, 2),

upon receipt of the RADIUS request, the proxy server
transmits a request for access authorization to the
remote authentication server (15),

the remote authentication server (15) executes a
user authentication procedure, on the basis of
authentication data contained in the access request,
and in response transmits, to the proxy server, a
response message containing the result of the user
authentication procedure,

characterized in that it also includes steps in which:

the proxy server determines, for each RADIUS request,
received from the access server (9) and
corresponding to an access request transmitted by a
user terminal, whether a local authentication of the
user transmitting the access request, at the local
network level (1, 2), must be performed,

if a local authentication of the user must be
performed, the proxy server transmits, to the access
server (9), a request for authentication data, which
is retransmitted to the user terminal, receives a
response message from the user terminal by means of
the access server, and executes a procedure for
local authentication of the user, on the basis of
the authentication data contained in the response
message.

2. Method according to claim 1, characterized in that the
authentication data request transmitted by the proxy
server (10) to the user terminal (11, 12, 13), if a local
user authentication must be performed, is a challenge
message containing a random number.

3. Method according to claim 2, characterized in that the 
challenge message contains an indication enabling the 
user terminal to determine whether it concerns a local 
user authentication.

4. Method according to one of claims 1 to 3,
characterized in that the remote authentication of the
user by the remote authentication server (15) includes
steps in which:

the remote authentication server transmits, to the
user, a challenge message containing a random number,

the proxy server (10) retransmits the challenge
message transmitted by the remote authentication
server to the user and, in a response message,
receives the data for user authentication with the
remote authentication server,

the proxy server (10) retransmits, to the remote
authentication server, the response message
transmitted by the user terminal,

the proxy server (10) receives, from the remote
authentication server, a message containing the
result of the user authentication.

5. Method according to one of claims 1 to 4, 
characterized in that the proxy server determines which 
access rights to assign to the user on the basis of the 
result of the local and remote authentications of the 
user. 

6. System for managing authorization of a user during an
attempt by a user terminal to access an IP service or
access provider (6, 7, 8) by means of an IP transport
network (5), which system includes:

access networks (1, 2) to which the user terminals
are connected,

IP gateways (3, 4) ensuring the connection,
respectively, between the access networks (1, 2) and
the IP transport network (5),

at least one access server (9) for each access
network, designed to transmit, upon request by the
user terminals, RADIUS access requests in accordance
with the RADIUS protocol,

at least one remote authentication server (15) for
each of the IP service or access providers (6, 7, 8),
designed to authenticate the users on the basis of
authentication data contained in the access requests
(50, 58) received by the authentication server, and

a proxy server (10) connected to the IP transport
network, designed to retransmit each RADIUS access
request, transmitted by one of the access servers (9)
upon a user's request, to a remote authentication
server (15) of an IP service or access provider
indicated in the access request, and to retransmit,
to the access servers, the authentication responses
provided by the remote authentication servers (15),

characterized in that the proxy server includes:

means for determining, for each RADIUS access
request received from an access server (9) upon a
user's request, whether or not a local
authentication of the user transmitting the access
request must be performed at the local network level
(1, 2),

means for transmitting by way of an access server,
to a user terminal that must be locally
authenticated, a message requesting authentication
data, and for receiving, in response from the user
terminal, a response message containing the
authentication data requested, and

means for executing a local user authentication
procedure, on the basis of authentication
information contained in the response message.

7. System according to claim 6, characterized in that the
proxy server (10) also includes means for determining an
overall authentication result on the basis of the local
user authentication result and the user's authentication
response provided by the authentication server (15), and
for retransmitting the overall authentication result to
the access server (9).

8. System according to claim 6 or 7, characterized in
that each access server (9) includes a RADIUS client and
the proxy server includes a client and a RADIUS server,
for exchanging messages in accordance with the RADIUS
protocol.

9. System according to one of claims 6 to 8, 
characterized in that the authentication data request 
message transmitted by the proxy server (10) to locally 
authenticate the user is a challenge message, wherein the 
proxy server comprises means for generating a random 
number that is inserted into the challenge message, and 
means for verifying the response to the challenge message 
received from the user terminal. 

10. System according to one of claims 6 to 9, 
characterized in that the proxy server (10) includes 
means for determining which access rights to assign to 
the user on the basis of the result of the local and 
remote authentications of the user. 

11. Proxy server (10) for authorizing a user terminal
connected to an access network (1, 2) to access an IP
service or access provider (6, 7, 8) by means of an IP
transport network (5) connected to the access network by
an IP gateway (3, 4), wherein the proxy server is
connected to an IP transport network and includes means
for:

retransmitting each RADIUS access request (50, 58)
in accordance with the RADIUS protocol, transmitted
by an access server (9) upon the request of a user
terminal, to a remote authentication server (15) of
an IP service or access provider indicated in the
access request, and

retransmitting, to the access server, the
authentication response provided by the remote
authentication server (15),

characterized in that it also includes means for:

determining, for each RADIUS access request received
from an access server (9) upon a user's request,
whether or not a local authentication of the user
transmitting the access request must be performed at
the local network level (1, 2),

transmitting, by means of an access server, to a
user terminal that must be locally authenticated, a
message requesting authentication data, and, in
response, receiving from the user terminal a
response message containing the authentication data
requested, and

executing a local user authentication procedure, on
the basis of the authentication information
contained in the response message.

12. Computer program intended to be executed by a proxy
server (10) designed to authorize a user terminal
connected to an access network (1, 2) to access an IP
service or access provider (6, 7, 8) by means of an IP
transport network (5) connected to the access network by
an IP gateway (3, 4), wherein the proxy server is
connected to an IP transport network, which program
includes instructions for:

retransmitting each RADIUS access request (50, 58)
in accordance with the RADIUS protocol, transmitted
by an access server (9) upon the request of a user
terminal, to a remote authentication server (15) of
an IP service or access provider indicated in the
access request, and

retransmitting, to the access server, the
authentication response provided by the remote
authentication server (15),

characterized in that it also includes instructions for:

determining, for each RADIUS access request received
from an access server (9) upon the request of a user,
whether or not a local authentication of the user
transmitting the access request must be performed at
the local network level (1, 2),

transmitting, by means of an access server, to a
user terminal that must be locally authenticated, a
message requesting authentication data, and, in
response, receiving from the user terminal a
response message containing the authentication data
requested, and

executing a local user authentication procedure, on
the basis of authentication information contained in
the response message.
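
The proxy behaviour of claims 1 to 5, 9 and 10, modelled as an added example that is not part of the claims or of any implementation by the applicant. Assumptions: the response is an HMAC-SHA256 of the challenge under a per-user key held by the access network, the local-authentication rule is a set of realms, the rights labels are illustrative, the remote server is a callable returning its result, and all names are hypothetical.

```python
import hashlib
import hmac
import secrets

LOCAL_MARK = b"LOCAL:"  # assumed indicator that a challenge is a local one (claim 3)


def access_rights(local_ok, remote_ok):
    # Assumed policy: the claims only say rights depend on both results.
    rights = [name for name, ok in (("local", local_ok), ("provider", remote_ok)) if ok]
    return "+".join(rights) or "reject"


def terminal_for(key):
    # Constructed stand-in for a user terminal holding `key`.
    return lambda challenge: hmac.new(key, challenge, hashlib.sha256).digest()


class Proxy:
    def __init__(self, local_keys, local_realms):
        self.local_keys = local_keys      # user -> key shared with the access network
        self.local_realms = local_realms  # assumed rule: these realms need local auth

    def needs_local_auth(self, request):
        return request["realm"] in self.local_realms

    def make_challenge(self):
        # Fresh random number per request, so a captured response cannot be replayed.
        return LOCAL_MARK + secrets.token_bytes(16)

    def verify(self, user, challenge, response):
        key = self.local_keys.get(user)
        if key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison

    def authorize(self, request, terminal, remote_server):
        local_ok = None  # None: no local authentication required for this request
        if self.needs_local_auth(request):
            challenge = self.make_challenge()
            local_ok = self.verify(request["user"], challenge, terminal(challenge))
        remote_ok = remote_server(request)  # relayed exchange of claim 4, collapsed
        return access_rights(local_ok, remote_ok)


if __name__ == "__main__":
    proxy = Proxy({"alice": b"constructed-key"}, {"isp.example"})
    req = {"user": "alice", "realm": "isp.example"}
    print(proxy.authorize(req, terminal_for(b"constructed-key"), lambda r: True))
```
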



